XO-Timestamp Validation Missing in updatePrices Function
Summary
The vulnerability is in the updatePrices function, which accepts an array of IOracle.NewPrice structs as input and updates the prices for corresponding assets. However, the function fails to validate whether the timestamp of a new price is greater than the previous timestamp.
Vulnerability Detail
The updatePrices function takes an array of IOracle.NewPrice structs as input. Each IOracle.NewPrice struct contains the asset's address, the timestamp of the new price, and the new price. The updatePrices function iterates through the array and calls the putPrice function to update the price for each asset. However, updatePrices does not check that the timestamp of the new price is greater than the previous timestamp. This means that an attacker could create a NewPrice struct with a timestamp that is less than the previous timestamp. If the attacker is able to do this, the updatePrices function will update the price for the asset to the attacker's desired price.
Impact
The vulnerability allows an attacker to manipulate the price of an asset by creating a NewPrice struct with a timestamp that is less than the previous timestamp. If the attacker is able to do this, the updatePrices function will update the price for the asset to the attacker's desired price.
XDZIBEC
medium
Code Snippet
Tool used
Manual Review
Recommendation
The updatePrices function should be modified to check the timestamp of the new price to make sure that it is greater than the previous timestamp.
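One way to apply the recommended check, as an added Solidity sketch that is not the audited project's code: the contract name, storage layout, error names and event are assumptions, and only updatePrices, putPrice and the NewPrice fields (asset, timestamp, price) come from the report. It also rejects timestamps ahead of block.timestamp, which goes beyond the report's recommendation, because with a strict ordering check a far-future timestamp would block later legitimate updates.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration; not the audited contract. Names other than
// updatePrices, putPrice and NewPrice are hypothetical.
contract OracleSketch {
    struct NewPrice {
        address asset;      // asset the price applies to
        uint256 timestamp;  // time the price was observed
        uint256 price;      // new price
    }

    struct Stored {
        uint256 timestamp;
        uint256 price;
    }

    // Last accepted price per asset (assumed storage layout).
    mapping(address => Stored) public latest;

    error StaleTimestamp(address asset, uint256 supplied, uint256 current);
    error FutureTimestamp(address asset, uint256 supplied);

    event PriceUpdated(address indexed asset, uint256 timestamp, uint256 price);

    // Access control is omitted because the report does not describe it.
    function updatePrices(NewPrice[] calldata prices) external {
        for (uint256 i = 0; i < prices.length; i++) {
            putPrice(prices[i]);
        }
    }

    function putPrice(NewPrice calldata p) internal {
        Stored storage s = latest[p.asset];

        // Recommended check: accept only a strictly newer timestamp, so an
        // older (or replayed) entry cannot overwrite the current price.
        if (p.timestamp <= s.timestamp) {
            revert StaleTimestamp(p.asset, p.timestamp, s.timestamp);
        }
        // Extra guard (assumption, not in the report): no future timestamps.
        if (p.timestamp > block.timestamp) {
            revert FutureTimestamp(p.asset, p.timestamp);
        }

        s.timestamp = p.timestamp;
        s.price = p.price;
        emit PriceUpdated(p.asset, p.timestamp, p.price);
    }
}
```

Reverting makes one stale entry fail the whole batch; skipping stale entries instead is a design choice the report does not address.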